SS-2016-006: Missing CSRF protection in login form
- Severity: Low (?)
- Identifier: SS-2016-006
- Versions Affected: 3.1.18, 3.2.3, 3.3.1
- Versions Fixed: 3.1.19, 3.2.4, 3.3.2
- Release Date: 2016-05-11
LoginForm calls disableSecurityToken(), which strips the CSRF token from the login form and causes a "shared host domain" (login CSRF) vulnerability: http://stackoverflow.com/a/15350123.
Credit: Anthony Thorpe
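To show what the advisory is about, the following is an added example of a SilverStripe 3.x form subclass that reproduces the weak setting beside a hardened version; it is illustrative code, not SilverStripe's own LoginForm or the project's fix. The class names, field names and the `doLogin` action are assumptions; `Form::disableSecurityToken()`, `Form::enableSecurityToken()`, `SecurityToken::inst()->checkRequest()` and `MemberAuthenticator::authenticate()` are the framework's existing 3.x API.

```php
<?php
// Added example, not part of the SS-2016-006 advisory or SilverStripe's code.
// Both classes assume SilverStripe 3.x (Form, FieldList, SecurityToken,
// MemberAuthenticator) is loaded; class and field names are made up.

// The weak setting: the form drops its hidden SecurityID field, so a POST
// crafted on any other site is accepted just like one from the real page.
// That is the login-CSRF condition the advisory describes.
class InsecureLoginForm extends Form {
    public function __construct($controller, $name) {
        $fields  = new FieldList(
            new EmailField('Email', 'Email'),
            new PasswordField('Password', 'Password')
        );
        $actions = new FieldList(new FormAction('doLogin', 'Log in'));
        parent::__construct($controller, $name, $fields, $actions);

        // Vulnerable line: removes CSRF protection from this form.
        $this->disableSecurityToken();
    }
}

// The corrected setting: keep the token (enabled by default, made explicit
// here) and re-check it in the action before any authentication state is
// touched, so the protection survives even if a later refactor removes the
// check that Form::httpSubmission() performs.
class HardenedLoginForm extends Form {
    public function __construct($controller, $name) {
        $fields  = new FieldList(
            new EmailField('Email', 'Email'),
            new PasswordField('Password', 'Password')
        );
        $actions = new FieldList(new FormAction('doLogin', 'Log in'));
        parent::__construct($controller, $name, $fields, $actions);

        // Explicitly keep the per-session SecurityID token on the form.
        $this->enableSecurityToken();
    }

    public function doLogin($data, Form $form) {
        // Belt-and-braces check: the submitted SecurityID must match the
        // token held in the visitor's session. A forged cross-site POST
        // cannot know that value, so it is rejected with 400 before
        // MemberAuthenticator is consulted.
        if (!SecurityToken::inst()->checkRequest($this->getRequest())) {
            return $this->getController()->httpError(400, 'Invalid security token');
        }

        $member = MemberAuthenticator::authenticate($data, $form);
        if (!$member) {
            $form->sessionMessage('Login failed', 'bad');
            return $this->getController()->redirectBack();
        }

        $member->logIn();
        return $this->getController()->redirect('/');
    }
}

// Quick self-check usable in a dev environment or a unit test: the hardened
// form must still render a SecurityID field, the insecure one must not.
function login_form_has_csrf_field(Form $form) {
    return $form->Fields()->dataFieldByName(SecurityToken::inst()->getName()) !== null;
}
```

A practical regression test for this class of issue is simply to assert that every form handling authentication still contains the `SecurityID` field (the `login_form_has_csrf_field()` helper above does that), so a stray `disableSecurityToken()` call is caught by the test suite rather than by a report like this one.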